Hi, I have a question about the bugs linked to: https://bugzilla.mozilla.org/show_bug.cgi?id=1618610 and also https://bugzilla.mozilla.org/show_bug.cgi?id=1651119
There are some webcompat issues linked as well. Are we confident that these issues are fixed?Can we close them? I would prefer a comment in them saying what is the status, or do we have a doc that analyzes these issues? Do these issues reproduce in Chrome or are they Firefox specific? In the latter case that would be a bug in our code. dragana On Tue, Nov 30, 2021 at 1:45 PM Niklas Gögge <[email protected]> wrote: > As of Firefox 96 we intend to ship “SameSite=Lax by default”, > “SameSite=None only if secure” and “Schemeful SameSite” on all platforms. > These features have been developed behind the following preferences: > “network.cookie.sameSite.laxByDefault”, > “network.cookie.sameSite.noneRequiresSecure”, and > “network.cookie.sameSite.schemeful”. > > Link to the proposal: > https://datatracker.ietf.org/doc/html/draft-west-cookie-incrementalism-01 > > Summary: > "1. Treat the lack of an explicit "SameSite" attribute as > "SameSite=Lax". That is, the "Set-Cookie" value "key=value" will > produce a cookie equivalent to "key=value; SameSite=Lax". > Cookies that require cross-site delivery can explicitly opt-into > such behavior by asserting "SameSite=None" when creating a > cookie. > 2. Require the "Secure" attribute to be set for any cookie which > asserts "SameSite=None" (similar conceptually to the behavior for > the "__Secure-" prefix). That is, the "Set-Cookie" value > "key=value; SameSite=None; Secure" will be accepted, while > "key=value; SameSite=None" will be rejected. > 3. Require both the scheme and registrable domain of a request's > client's "site for cookies" to match the target URL when deciding > whether a given request is considered same-site. That is, a > request initiated from "http://site.example"; to > "https://site.example"; should be considered cross-site." > > Google Chrome has already shipped these features. > > Bug to turn on by default: > https://bugzilla.mozilla.org/show_bug.cgi?id=1617609 > > SameSite MDN Docs: > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite > web-platform-tests: > > https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite-none-secure > > https://github.com/web-platform-tests/wpt/tree/master/cookies/schemeful-same-site > https://github.com/web-platform-tests/wpt/tree/master/cookies/samesite > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org > <https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/454e63d5-17fb-45d6-a0d2-ab277d049de3n%40mozilla.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CACOB9hDHfAEj%3DpziqMmSK9GPzOwbsBb0yMLXEZ_OoGJdk1LayA%40mail.gmail.com.
